Cybersecurity is evolving — Strike Graph is leading the way.
Check out our newest resources.
Find answers to all your questions about security, compliance, and certification.
Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?
Complementary User Entity Controls, or CUECs, are the controls that you, as a SaaS (or other services) company want your customer to have in place in order for them to properly use your service. Listing relevant CUECs is one component of a great System Description (or Section 3). If SOC 2 lingo wasn't mysterious enough, be careful that you don't confuse CUECs with complementary subservice organizations controls, defined and described further down in this post.
Start by reviewing the CUECs within the SOC 2 reports of your own service providers. If you have more than Security in scope, you will also want to add CUECs that address the other Trust Services Criteria (Confidentiality, Availability, Processing Integrity and Privacy) that you include in your report.
The following questions may also be helpful (not all questions will apply, but the answer will lead you to the creation of relevant CUEC):
Your list of CUECs may look like this:
Complementary subservice organizations controls refer to the SOC 2 controls that you expect one of your service providers to perform. Even though they may be performed by another entity, they are still relevant and applicable to your system. Think of it this way - if one of your service providers failed to perform a backup control, or had control deficiencies with a change management control, their errors could impact your system.
The easiest way to approach complementary subservice organization controls is to methodically scan through all of the SOC 2 Criteria and Principles (that are in scope) and then identify any controls that are performed by others according to each category. Place these controls in one column (a summary of the controls is fine) and then in a second column note the associated Trust Services Criteria reference number. For example:
It is common for organizations to rely on their subservice provider(s) to:
Think of your Complementary User Entity Controls in terms of what security practices your customers must be responsible for. When writing your CUECs, make sure that the language you are using is specific, but not so technical that it could be confusing for some of your customers. Think of the complementary subservice organization controls as the controls that you are ‘outsourcing’ to your service provider.
The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.
Strike Graph offers an easy, flexible security compliance solution that scales efficiently with your business needs — from SOC 2 to ISO 27001 to GDPR and beyond.
© 2024 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service
Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?